Yes, of course you encrypt those, but you also need to link any page which can link to those as well, otherwise an attacker could put a link on the page which goes to their cred harvesting page instead of the secure login page.